Thank you for your contribution to Astropy! 🌌 This checklist is meant to remind the package maintainers who will review this pull request of some common things to look for.

• Do the proposed changes actually accomplish desired goals?
• Do the proposed changes follow the Astropy coding guidelines?
• Are tests added/updated as required? If so, do they follow the Astropy testing guidelines?
• Are docs added/updated as required? If so, do they follow the Astropy documentation guidelines?
• Is rebase and/or squash necessary? If so, please provide the author with appropriate instructions. Also see instructions for rebase and squash.
• Did the CI pass? If no, are the failures related? If you need to run daily and weekly cron jobs as part of the PR, please apply the "Extra CI" label. Codestyle issues can be fixed by the bot.
• Is a change log needed? If yes, did the change log check pass? If no, add the "no-changelog-entry-needed" label. If this is a manual backport, use the "skip-changelog-checks" label unless special changelog handling is necessary.
• Is this a big PR that makes a "What's new?" entry worthwhile and if so, is (1) a "what's new" entry included in this PR and (2) the "whatsnew-needed" label applied?
• At the time of adding the milestone, if the milestone set requires a backport to release branch(es), apply the appropriate "backport-X.Y.x" label(s) before merge.

👋 Thank you for your draft pull request! Do you know that you can use [ci skip] or [skip ci] in your commit messages to skip running continuous integration tests until you are ready?

error[dangerous-triggers]

Well, not like I did it for fun. We need extra access to post comment on PR. Will the zizmor dev able to give advice?

Apparently he's very reactive yes. So I heard.

Do we want to add this to the pre-commit? https://github.com/woodruffw/zizmor/blob/a3e84e6564e6025ce4c5e7bb3ab024d5dbf62901/docs/usage.md?plain=1#L106-L130

pre-commit

Is that necessary? We do not add new workflows often.

very reactive yes

Is that good or bad? 😅

Do we want to add this to the pre-commit?

oooh I didn't see there was a pre-commit hook already.

Is that necessary? We do not add new workflows often.

Sure, but zizmor might add new checks in the future (the tool is extremely new), that we might want to know about sooner rather than later.

Is that good or bad?

good !

zizmor 0.6 now supports # zizmor: ignore[rule] comments, so, we could leverage it to ignore the one dangerous-triggers violation we have and add the pre-commit hook to catch future breaches !

I guess doesn't hurt...

pre-commit.ci is having issues building zizmor 0.6.0 (and I have to confess I did to; I needed to update rust on my system), so I guess we should hold on that pre-commit hook...

Owee, I'm MrMeeseeks, Look at me.

There seem to be a conflict, please backport manually. Here are approximate instructions:

1. Checkout backport branch and update it.

git checkout v7.0.x
git pull

2. Cherry pick the first parent branch of the this PR on top of the older branch:

git cherry-pick -x -m1 803c7bd20dae347d99aab8980119c364c5b48610

3. You will likely have some merge/cherry-pick conflict here, fix them and commit:

git commit -am 'Backport PR #17315: SEC: fix security breaches in GHA workflows detected with zizmor'

4. Push to a named branch:

git push YOURFORK v7.0.x:auto-backport-of-pr-17315-on-v7.0.x

5. Create a PR against branch v7.0.x, I would have named this PR:

"Backport PR #17315 on branch v7.0.x (SEC: fix security breaches in GHA workflows detected with zizmor)"

And apply the correct labels and milestones.

Congratulations — you did some good work! Hopefully your backport PR will be tested by the continuous integration and merged soon!

Remember to remove the Still Needs Manual Backport label once the PR gets merged.

If these instructions are inaccurate, feel free to suggest an improvement.

@neutrinoceros backport would be nice but not critical, so if you don't feel like manual backporting, feel free to change milestone. Thanks!

I'll try a manual backport tomorrow !